HIPAA FOR THE
DENTAL PRACTICE
Catherine C. Cownie, E-mail: [email protected], Telephone: 515-242-2490
Adam J. Freed, E-mail: [email protected], Telephone: 515-242-2402
BrownWinick
666 Grand Avenue, Suite 2000
Des Moines, IA 50309-2510
Website: www.brownwinick.com
Questions to Ask
About Your Practice
• When was the last time you completed a HIPAA risk assessment?
• Do you have a written HIPAA compliance plan?
• If you have a compliance plan, when was the last time you reviewed it?
• When was the last time you provided training to your employees regarding HIPAA?
• Other than your employees, who has access to your patients’ dental records?
• Who is your Privacy Officer?
• Who is your Security Officer?
Applicable Laws
• Rules of the Iowa Dental Board
• HIPAA
• Other Laws Applicable to Specific Categories of Information
  Substance Abuse
  Mental Health
  HIV/AIDS
  Employment
Iowa Dental Board Rules
• 27.11(2) Retention of records. A dentist shall maintain a patient’s dental record for a minimum of six years after the date of last examination, prescription, or treatment. Records for minors shall be maintained for a minimum of either (a) one year after the patient reaches the age of majority (18), or (b) six years, whichever is longer. Proper safeguards shall be maintained to ensure safety of records from destructive elements.
Iowa Dental Board Rules
• 27.11(3) Electronic record keeping. The requirements of this rule apply to electronic records as well as to records kept by any other means. When electronic records are kept, a dentist shall keep either a duplicate hard copy record or use an unalterable electronic record.
Iowa Dental Board Rules
• 27.11(5) Confidentiality and transfer of records. Dentists shall preserve the confidentiality of patient records in a manner consistent with the protection of the welfare of the patient. Upon request of the patient or patient’s legal guardian, the dentist shall furnish the dental records or copies or summaries of the records, including dental radiographs or copies of the radiographs that are of diagnostic quality, as will be beneficial for the future treatment of that patient. The dentist may charge a nominal fee for duplication of records, but may not refuse to transfer records for nonpayment of any fees.
HIPAA and HITECH
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health Act
HIPAA Applies to
“Protected Health Information”
“Protected Health Information” (PHI) is individually identifiable health information, including demographic information, that a covered entity or business associate creates, receives, maintains, or transmits in any form or medium. It includes any information that identifies a patient, regardless of whether the information seems private or sensitive.
“PHI” Includes Dental Records
Maintained Pursuant to
Iowa Dental Board Rules
The rules of the Iowa Dental Board require the following in dental records:
• Name, date of birth, address and, if a minor, name of parent or guardian.
• Name and telephone number of emergency contact.
• The patient’s dental and medical history.
• When a patient presents with a chief complaint, dental records shall include the patient’s stated oral health care reasons for visiting the dentist.
• Chronological dates and descriptions of the following:
  Clinical examination findings, tests conducted, and a summary of all pertinent diagnoses;
  Plan of intended treatment and treatment sequence;
  Services rendered and any treatment complications;
  All radiographs, study models, and periodontal charting, if applicable;
  Name, quantity, and strength of all drugs dispensed, administered, or prescribed; and
  Name of dentist, dental hygienist, or any other auxiliary, who performs any treatment or service or who may have contact with a patient regarding the patient’s dental health.
• Documentation of informed consent.
Who Must Comply with HIPAA?
Covered Entities
• Health plans
• Health care clearinghouses
• Health care providers who transmit health information in electronic form
Business Associates
• A person who creates, receives, maintains, or transmits protected health information on behalf of a covered entity
• NOT a member of the covered entity’s workforce
Likely Business Associates of
Your Dental Practice
• Electronic dental record provider
• Information technology support provider
• Claims processor
• Third-party billing company
• Law firm
• Accounting firm
Business Associates Now Include
Subcontractors of Your Business Associates
A “business associate” includes “a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”
Who Must Comply with HIPAA? (cont.)
[Diagram: how the parties around a patient are classified]
• Patient
• Dentist, Dental Plan: “Covered Entity”
• Employees: “Workforce Members”
• Lawyer, Accountant, Billing Co.: “Business Associates”
• Lawyer’s IT Provider: “Subcontractor Business Associates”
What Documentation Should a Dental
Practice Request from its Business
Associates?
A business associate must provide “satisfactory assurances” that it will appropriately safeguard the information. The business associate provides the satisfactory assurances in a “Business Associate Agreement.”
So I’m Subject to HIPAA—Now
What Do I Do?
HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
STEP 1:
Conduct a Risk Assessment
• HIPAA requires covered entities and business associates to conduct “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
• The risk assessment must be prepared in writing.
STEP 1:
Conduct a Risk Assessment (cont.)
• Possible Vulnerabilities (not an exhaustive list):
No off-site back-up of electronic PHI.
Lack of a Business Associate Agreement with one or more business associates
Protected health information stored in unencrypted format
Insufficient user access controls to computer systems containing PHI
Passwords taped to the side of monitors
Storage of PHI on portable devices that could be lost or stolen
Routine discussion of care with patients in area where other patients are present (such as the waiting room)
STEP 2:
Correct Any Deficiencies Identified
• If your risk assessment identifies any risks, determine what steps are necessary to eliminate or minimize the risk.
• Document the steps you take to eliminate or minimize the risk.
STEP 3:
Develop Written Policies and Procedures
• Establish protocols for your administrative, physical, and technical safeguards, such as the following:
How often and where electronic PHI is backed up
Password content requirements and how often they must be changed (current NIST guidance, SP 800-63B, discourages forced periodic rotation unless there is evidence of compromise; if you keep a rotation interval, document the reasoning)
Which workforce members have keys to the office
When and how training is provided to new and current workforce members
Termination of access to PHI by former employees
Restrictions on use of portable devices for electronic PHI
Use of antivirus software
STEP 3:
Develop Written Policies and Procedures (cont.)
• Specify processes for complying with your patients’ rights under HIPAA, including their rights to
  Access their PHI
  Amend their PHI
  Obtain an accounting of disclosures of their PHI
• Establish a procedure to follow if you are unable to access your electronic PHI
• Establish a procedure to follow in the event of a breach of electronic PHI
• Establish a sanction policy for employees who fail to comply with the policies and procedures
STEP 4:
Train Your Workforce on the Policies
and Procedures
• Provide initial training to all employees upon adoption of the policy
• Include HIPAA training in the orientation for new employees
• Periodically hold “refresher” courses for current employees
• Periodically send out reminders to employees
STEP 5:
Monitor Compliance with Policies and
Procedures and Revise as Necessary
[Diagram: HIPAA compliance is an ongoing process]
Risk Assessment → Correct Deficiencies → Implement Procedures → Train Workforce → Monitor Compliance → (back to Risk Assessment)
HIPAA Example
• [Insert Video]
HIPAA Issues
Identified in the Example
• Elaine could have simply requested a copy of her medical record from her physician.
• Physician reviewing x-ray image in plain view of everyone in the lobby.
• “Fake Erase”: The rules of the Iowa Dental Board do not permit erasures or white-outs in dental records. Changes can only be made by drawing a single line through the incorrect information and initialing the change.
Consequences of Failing to
Comply with HIPAA and HITECH
• Discipline by Iowa Dental Board
• Must report breaches of PHI to the HHS Office for Civil Rights
• Must report major breaches of PHI (those affecting more than 500 residents of a state or jurisdiction) to prominent local news media
• Civil penalties of $100 up to $50,000 per violation, depending on severity
• Criminal penalties of up to 10 years in prison for intentional violations
• State Attorneys General can enforce HIPAA
• Damage to reputation and loss of confidence among patients
Recent Examples of
HIPAA Breaches
Toll Free Phone Number: 1-888-282-3515
OFFICE LOCATIONS:
666 Grand Avenue, Suite 2000, Des Moines, Iowa 50309-2510, Telephone: (515) 242-2400, Facsimile: (515) 283-0231
616 Franklin Place, Pella, Iowa 50219, Telephone: (641) 628-4513, Facsimile: (641) 628-8494
DISCLAIMER: No oral or written statement made by BrownWinick attorneys should be interpreted by the recipient as suggesting a need to obtain legal counsel from BrownWinick or any other firm, nor as suggesting a need to take legal action. Do not attempt to solve individual problems upon the basis of general information provided